Smartphone App Forensics

4½ days

Background

Smartphone and tablet devices submitted to forensic units present a veritable treasure trove of potential evidence generated through the use of pre-installed “1st party” and user-installed 3rd party apps. Unfortunately the relentless evolution of new and existing 3rd party apps means that commercial forensic tools cannot realistically decode, interpret and report all of the data of interest to investigators.

Course aims

Android and iOS platforms both make extensive use of SQLite, a free open-source database platform, to store data relating to first and third party apps. Analysis of SQLite databases can recover live and deleted data as well as often overlooked binary data such as thumbnail images. In addition to SQLite databases, iOS devices make use of Property List (plist) files to store application data and mobile forensic examiners need to be skilled in analysing and reporting data from both file formats.

Smartphone App Forensics is a 4½ day course designed to teach students how to recover evidence from smartphone and tablet applications. This includes first party apps, but the emphasis will be on developing skills and techniques for working with 3rd party apps which are unsupported by commercial forensic tools. Students will gain experience of working with data recovered from iOS, Android, Windows Phone and BlackBerry devices.

What you will learn

By the end of the course, students will be able to:

  • Use appropriate tools to view and recover evidence from SQLite databases and Property List (plist) files
  • Recover evidence from smartphone apps that are unsupported by commercial forensic tools
  • Recover deleted data from smartphone apps on Android, iOS and Windows Phone devices
  • Recover and interpret web browsing and mobile satnav artefacts from Android, iOS and Windows Phone devices
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in phone forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).

Python Scripting 1

3 days

Course aims

As digital forensic examiners expand their knowledge and understanding of forensic artefacts within PCs, mobile phones and other devices, they repeatedly encounter key evidence which is not appropriately reported by commercial forensic tools. ‘Python Scripting 1’ is a 3 day course designed to teach students how to start writing simple scripts in Python, with a strong emphasis on those aspects of the language which are relevant to digital forensics.

What you will learn

By the end of the course, students will be able to:

  • Write short Python scripts to open and process files of evidential interest
  • Write short Python scripts to recover thumbnail images from input files
  • Write short Python scripts to recover evidence from SQLite databases
  • Write short Python scripts to produce text and comma separated value (CSV) output

Who should attend?

The course assumes no prior knowledge of Python or any previous programming experience; however delegates must have previous experience of working with raw (hex) data and be confident navigating such data within a hex editor. As such, delegates should have previously attended the Control-F Demystifying Hex Data training course (or equivalent).

Flash Memory Chip Removal (“chip off”)

4½ days

Background

Password-protected, damaged and unsupported devices can pose significant challenges to digital forensic units tasked with evidence recovery. In some situations the only viable option for recovery of evidence is the removal and reading of flash memory chips located within the device (“chip-off”). With the majority of modern devices utilising eMMC flash memory chips, chip-off has established itself as a cost-effective method for dealing with locked and unsupported Android and Windows Phone devices.

Course aims

Successful removal of flash memory chips requires appropriate equipment and skilled techniques to ensure that the chip is not damaged during removal and that a full read of the device can be obtained. Flash Memory Chip Removal is a 4½ day course designed to teach delegates how to identify flash memory chips within electronic devices, safely de-solder these chips and extract the data they contain.

Specifically, delegates will learn techniques to assist in re-soldering flash memory chips to the device circuit board after data has been extracted from the chip. This process is ideally suited to locked devices where the PIN or password can be recovered from the extracted data and then entered into the re-assembled device in order to perform a manual or logical extraction.

Delegates will work with Android and Nokia Lumia models for which physical extractions cannot be performed with commercial forensic tools or direct eMMC (ISP) as these devices are most likely to require chip-off in order to extract data. In addition, delegates will gain experience in removing and reading UFS chips from Samsung Galaxy S6 devices.

What you will learn

By the end of the course, students will be able to:

  • Safely remove flash memory chips from Printed Circuit Boards (PCBs) of mobile devices
  • Successfully clean and “re-ball” flash memory chips in preparation for data recovery
  • Recover the contents of flash memory chips using appropriate software and hardware
  • Explain and justify their actions in court

Who should attend?

Although previous experience of working with raw hex data from digital devices would be advantageous, it is not essential. Due to the close-up nature of the work, it is essential that delegates have very good eyesight and a steady hand! Previous experience of soldering would be beneficial but is by no means essential.

Demystifying Hex Data

3½ days

Background

Mobile forensic software tools extract data from mobile devices and present that data on screen for analysis, typically by means of a simple point-and-click interface. Such tools provide great benefits in simplifying both the acquisition and analysis phases of a mobile device examination, thereby allowing more devices to be processed in less time. However, this simplification has its drawbacks, most notably that forensic examiners are less likely to encounter, and therefore understand, the raw data stored on the device. This lack of understanding fundamentally limits an examiner’s ability to present evidence with confidence.

Course aims

Demystifying Hex Data is a 3½ day course designed to give existing mobile forensic examiners a true understanding of the data recovered and decoded by forensic software tools.

Delegates will learn the fundamental encodings used for time and date information, text data (ASCII and Unicode) as well as the vital role played by file signatures in digital forensics.

Students will gain extensive experience in working with raw data within a hex editor: understanding offsets and endianness, using regular expressions to search large device extractions, manually carving data of interest and then making sense of that data.

Developing an in-depth understanding of how mobile devices actually store data enables mobile forensic examiners to not only corroborate the evidence presented by commercial forensic tools, but also to recover and present evidence which such tools may have missed.

What you will learn

By the end of the course, students will be able to:

  • Confidently navigate raw data within a hex viewer and manually carve data of interest
  • Construct regular expressions to search for deleted media files within a physical extraction
  • Identify and interpret data encoded using Little Endian and Big Endian byte ordering
  • Attempt manual repair of unplayable MP4/3GP/MOV video files
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in mobile device forensics. Ideally delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics course (or equivalent).

Advanced Smartphone & Tablet Acquisition

4½ days

Background

The prevalence of smartphone and tablet devices is a mixed blessing for digital forensic units. On the one hand, iPhone, iPad and Android devices can provide a wealth of information about the owner’s communication, associates and whereabouts; but at the same time the built-in security mechanisms provided by such devices often present a significant challenge.

Course aims

Many Android apps exclude themselves from the backup mechanisms used by commercial forensic tools; additionally, device manufacturers and 3rd party app developers provide easy-to-use app protection and data hiding features. It is increasingly important that mobile forensic examiners can assess the completeness of extractions and take the necessary steps to recover missing, hidden or protected data.

Not only is data being more tightly secured within mobile devices, increasing amounts of data are being stored in the cloud, either by the device itself or by apps installed on it. Today’s forensic examiners need to be aware of the breadth and depth of data held within the cloud and how it can be recovered for evidential use.

Advanced Smartphone & Tablet Acquisition is a 4½ day course designed to teach attendees how to ensure maximum evidence recovery. Delegates will learn how to identify and recover evidence from encrypted PC backups of iOS devices and use the Google Android SDK to recover data from any Android device. Importantly, delegates will gain hands-on experience in recovering data for apps such as WhatsApp and Facebook Messenger which exclude themselves from the backup process as well as techniques for dealing with data hiding mechanisms including Samsung Secure Folder and Huawei PrivateSpace. In addition to device extraction techniques, delegates will gain practical experience in the potential benefits of, and obstacles to, recovering cloud-based data.

What you will learn

By the end of the course, students will be able to:

  • Use ADB commands to connect to and recover data from Android devices
  • Recover evidence from PC backups of iOS & Android devices
  • Extract messaging app data from Huawei devices
  • Identify the use of data hiding techniques on Android devices which may prevent data extraction via forensic tools
  • Explain and justify their actions in court

Who should attend?

This course is targeted at existing phone examiners who have at least 6 months experience in mobile device forensics. Ideally, delegates would have previously attended the Control-F Foundation in Mobile Phone Forensics (or equivalent).

Foundation in Mobile Phone Forensics

4½ days

Course information

This 4½ day, entry level course is targeted at those just starting out in mobile forensics, or existing mobile device examiners who have not had the benefit of formal training.

Course aims

Foundation in Mobile Phone Forensics is a 4½ day training course designed to teach prospective or existing mobile phone examiners how to examine mobile devices in accordance with the ACPO Principles of Digital Computer Based Evidence. Without appropriate training, there is a significant risk that evidence may be lost or altered during the examination process, or that the examiner is discredited in court. The course will provide delegates with exposure to, and hands-on experience with, market leading phone forensic tools.

What you will learn

By the end of the course, students will be able to:

  • Safely retrieve evidence from SIM cards, mobile phone handsets and memory cards using forensic software tools
  • Identify key potential evidence which is not recovered by software tools and capture it in an appropriate way
  • Implement or enhance local standard operating procedures for the examination of mobile devices within their organisation
  • Explain and justify their actions in court

Who should attend?

This entry level course is targeted at those just starting out in mobile phone forensics, or existing mobile phone examiners who have not had the benefit of formal training.